How-To Geek

You’ve probably heard that you need to overwrite a drive multiple times to make the data unrecoverable. Many disk-wiping utilities offer multiple-pass wipes. This is an urban legend – you only need to wipe a drive once.

Wiping refers to overwriting a drive with all 0’s, all 1’s, or random data. It’s important to wipe a drive once before disposing of it to make your data unrecoverable, but additional wipes offer a false sense of security.

What Wiping Does

When you delete a file using Windows, Linux, or another operating system, the operating system doesn’t actually remove all traces of the file from your hard drive. The operating system marks the sectors containing the data as “unused.” The operating system will write over these unused sectors in the future. However, if you run a file-recovery utility, you can recover data from these sectors, assuming they haven’t been overwritten yet.

Why doesn’t the operating system delete the data completely? That would take additional system resources. A 10 GB file can be marked as unused very quickly, while it would take much longer to write over 10 GB of data on the drive. It doesn’t take any longer to overwrite a used sector, so there’s no point in wasting resources overwriting the data – unless you want to make it unrecoverable.

When you “wipe” a drive, you overwrite all data on it with 0’s, 1’s, or a random mix of 0’s and 1’s.
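The difference between an operating-system delete and a single overwrite pass can be reproduced on a file-backed image. This is an added example, not code from the article: the one-entry file table, the image layout and the sample secret are constructed for illustration, and it only shows what software can read back from the sectors.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 512
CHUNK = 64 * SECTOR
ENTRY = struct.Struct("<BII")  # toy file-table entry: in-use flag, start sector, length
SECRET = b"CONSTRUCTED-SECRET: account 0000-1111 (sample data)"  # constructed sample


def build_image(path, sectors=1024, start=300):
    """Create a toy 'drive': sector 0 is a one-entry file table, the rest holds data."""
    with open(path, "wb") as img:
        img.truncate(sectors * SECTOR)
        img.seek(0)
        img.write(ENTRY.pack(1, start, len(SECRET)))
        img.seek(start * SECTOR)
        img.write(SECRET)


def delete_file(path):
    """What a delete does: mark the entry 'unused' and leave the data sectors alone."""
    with open(path, "r+b") as img:
        _, start, length = ENTRY.unpack(img.read(ENTRY.size))
        img.seek(0)
        img.write(ENTRY.pack(0, start, length))


def list_files(path):
    """What the operating system shows: only entries still marked in use."""
    with open(path, "rb") as img:
        in_use, start, length = ENTRY.unpack(img.read(ENTRY.size))
    return [(start, length)] if in_use else []


def scan_raw(path, needle):
    """What a file-recovery utility does: ignore the table and search every sector."""
    hits, offset, tail = [], 0, b""
    keep = len(needle) - 1  # overlap so matches spanning two chunks are found
    with open(path, "rb") as img:
        while chunk := img.read(CHUNK):
            buf = tail + chunk
            pos = buf.find(needle)
            while pos != -1:
                hits.append(offset - len(tail) + pos)
                pos = buf.find(needle, pos + 1)
            tail = buf[-keep:] if keep else b""
            offset += len(chunk)
    return hits


def wipe_once(path, pattern="random"):
    """One pass over every byte, flushed to storage. Returns SHA-256 of what was written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as img:
        size = img.seek(0, os.SEEK_END)  # also works for block devices
        img.seek(0)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            block = os.urandom(n) if pattern == "random" else bytes(n)
            img.write(block)
            digest.update(block)
            written += n
        img.flush()
        os.fsync(img.fileno())
    return digest.hexdigest()


def verify_wipe(path, expected_digest):
    """Read the whole image back and confirm it is exactly what the wipe pass wrote."""
    digest = hashlib.sha256()
    with open(path, "rb") as img:
        while chunk := img.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest() == expected_digest


def run_experiment():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "toy-drive.img")
        build_image(path)
        delete_file(path)
        result = {
            "listed_after_delete": list_files(path),
            "raw_hits_after_delete": scan_raw(path, SECRET),
        }
        digest = wipe_once(path)
        result["wipe_verified"] = verify_wipe(path, digest)
        result["raw_hits_after_wipe"] = scan_raw(path, SECRET)
        return result


if __name__ == "__main__":
    print(run_experiment())
```

The read-back hash is the step worth keeping in any real wipe procedure: it confirms the pass actually reached every sector the tool could address.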

Mechanical Hard Drives vs. Solid State Drives

The above is only true for traditional, mechanical hard drives. Newer solid state drives supporting the TRIM command behave differently. When an operating system deletes a file from an SSD, it sends a TRIM command to the drive, and the drive erases the data. On a solid state drive, overwriting a used sector takes longer than writing data to an unused sector, so erasing the sector ahead of time increases performance.

This means that file-recovery tools won’t work on SSDs. You also shouldn’t wipe SSDs – just deleting the files will do. SSDs have a limited number of write cycles, and wiping them will use up write cycles with no benefit.

The Urban Legend

On a traditional mechanical hard disk drive, data is stored magnetically. This has led some people to theorize that, even after overwriting a sector, it may be possible to examine each sector’s magnetic field with a magnetic force microscope and determine its previous state.

As a solution, many people advise writing data to the sectors multiple times. Many tools have built-in settings to perform up to 35 write passes – this is known as the “Gutmann method,” after Peter Gutmann, who wrote an important paper on the subject — “Secure Deletion of Data from Magnetic and Solid-State Memory,” published in 1996.

In fact, this paper was misinterpreted and became the source of the 35-pass urban legend. The original paper ends with the conclusion that:

“Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read… However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.”

Given that conclusion, it’s pretty obvious that we should use the Gutmann method to erase our drives, right? Not so fast.

The Reality

To understand why the Gutmann method isn’t necessary for all drives, it’s important to note that the paper and method were designed in 1996, when older hard drive technology was in use. The 35-pass Gutmann method was designed to wipe data from any type of drive – everything from the hard disk technology that was current in 1996 to ancient hard disk technology.

As Gutmann himself explained in an epilogue written later, for a modern drive, one wipe (or maybe two, if you like – but certainly not 35) will do just fine (the bolding here is mine):

“In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques… In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don’t understand that statement, re-read the paper). If you’re using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, ‘A good scrubbing with random data will do about as well as can be expected’. This was true in 1996, and is still true now.”

Disk density is also a factor. As hard disks have gotten bigger, more data has become packed into smaller and smaller areas, making theoretical data recovery essentially impossible:

“…with modern high-density drives, even if you’ve got 10KB of sensitive data on a drive and can’t erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 200GB of other erased traces are close to zero.”

In fact, there have been no reported cases of anyone using a magnetic force microscope to recover overwritten data. The attack remains theoretical and confined to older hard disk technology.

Beyond Wiping

If you’re still paranoid after reading the above explanations, there are a few ways you can go further. Performing 35 passes won’t help, but you can use a degausser to eliminate the drive’s magnetic field – this may destroy some drives, though. You can also physically destroy your hard disk – this is the real “military-grade” data destruction.

Comments (126)

Good article, thanks. Do you by any chance know if dragging a magnet along an HDD will erase the data (destroy the drive) or is it just another urban legend. In case it is not how strong would a magnet have to be?

I’m particularly curious about the statement that SSDs have a limited number of times data can be written. It must be a pretty large number – think of the amount of data being written and rewritten on a smartphone (all of which use SSD). How does this affect the lifespan of SSD vs. a traditional HDD?

You have lost the last of your credibility on this one. I have recovery software designed to extract over written disks. The process is basically forensic science against lax security. Using simple filters to subtract the ‘patterned’ overwrite will reveal enough evidence to prosecute in a US court of law. Use a 3-pass pseudo random for most re-use issues, 7-pass if you have stuff you don’t want the average geek to find. Otherwise it CAN be recovered with forensic software. My forensic OS can find things that will make most PC owners blush, or furious – LOL

The SSD max-writes issue is nothing new, it’s just about magnitude. Your magnetic HDD can only be written to so many times, also, even though it’s many more. Ever had a bad sector or read error? These actually happen all the time, except that modern drives are configured with a cache of extra sectors that are used to replace the bad ones when they pop up, one at a time. It’s only when those extras run out that we actually start to “see” the bad sectors when trying to read a file.

@Cody
The last time I heard the number, it was somewhere around 900 writes and that sector is dead. I would assume newer drives have more than that, but I haven’t heard any newer numbers. I would also assume that modern software that supports SSD drives knows this and will adjust its writes accordingly. If I remember correctly, Windows 7 and Windows 8 try to avoid writing to the paging file for that exact reason.

As for lifespan, a properly taken care of HDD will last years longer than an SSD drive, but for most uses, the PC will die before either drive.

No, this is wrong! I have done EXTENSIVE tests on HDD erasing, and 1st off, a hi lvl format NEVER erases ALL the data! No matter how many times you do it, the reason is because this type of an erase only erases half the data. 2nd, doing a low lvl format will erase 99.98% of the data with one pass. You CAN still recover data after just one pass of an erase. Doing a low lvl format at least 2-3 times WILL delete ALL data! And SSD formatting is completely different. Older versions of Darik’s Boot and Nuke do nothing for SSDs. They require specifically written software to erase them. And SSDs can be wiped in one hit because they use NAND flash RAM and can be wiped in just 3 seconds.
Btw, TRIM doesn’t work in a RAID configuration. Btw, smashing an HDD will not destroy data, it CAN still be recovered. Btw again, SSDs do not have a limited # of write cycles, my SSDs are capable of outlasting my HDDs as they have a 200m hr life span. Btw re-again, using magnets on HDDs will wipe data but this can take a bit longer depending on the strength of it. And too strong and it will render the HDD completely dead.

An important addition: there is equipment and software available that can recover data from basic wipes. The FBI utilizes it for forensic data recovery (though, as with anything, there are those out there with the proper tools to do this). To avoid this, a minimum of 7 overwrites is required to make it unrecoverable. Another note: physical destruction (hammer) is not as effective as you would likely hope. The drive platters can be rebuilt, and data partially recovered by anyone with the proper equipment. The good news there is that it requires a class 1 clean room. It is still possible, though.

Okay, maybe I am just being slow today (very possible!), but the Gutmann article to which you refer says “For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do.” – so how do you arrive at your “This is an urban legend – you only need to wipe a drive once.” statement from that?

Personally, I always figured 3 passes of random data was a pretty good compromise – or just trash the drive with a hammer.

Thanks for the dose of reality ! I actually use the programs (FTK and Encase) that some others talk about. Computer forensic software reads data from hard drives exactly the same way that a disk editor does, the specialization is in the ability to search for images and text and present the data to a non-technical person such as an Assistant US Attorney, the case agent, or a jury member. Non-technical folks hear about recovering data (marked as) deleted by the user, but tend to tune out the rest of the explanation of why the data is still on the disk.

So if you use a disk editor and see gibberish, that’s what I’d see also. If you look at the advertising for forensic software, you will never see a claim to “recover data from x times overwritten drives”. You can bet they’d trumpet that from the rooftops…if it were possible.

To destroy the drives once they are no longer evidence, we use DBAN with a 1x wipe of random data. I drill a hole through the drive just so that dumpster divers won’t find something usable in our trash.

If you want to do a Gutmann wipe, shred the drive in a metal recovery shredder, mix the pieces and send them to multiple furnaces for smelting, go ahead. But don’t believe it’s necessary to prevent data recovery.

The problem with most of these file/drive wipers is that there is no ‘random’ data created by them. This requires a human input, otherwise it is pseudo-random. By creating a simple bot to use encrypted screenshots of a very busy page or public domain pictures as the source file(s) [for wipe] you introduce the human element. HTG has not done their homework on forensic science and should NOT be relied upon for advice in this matter. It’s nice to see that there are others like me with at least SOME knowledge on the subject. As for physical destruction; acid bath on the platter.

I agree with clamo. I’ve spoken with some “people” in the data recovery business, and it’s amazing what determined organizations can do to recover data from a drive that’s been overwritten even a few times, including using lasers to microplane the disks (don’t ask me for technical details, hehe).

The most efficient way to make sure your data is not recoverable, from what they said, is to drill a hole right through the disk and platter(s). 3 holes if you’re paranoid.

I happen to know a little bit about digital forensics… I have personally recovered data from a drive that I personally did 35 passes on for a test. Was the data readable? No, it was not. Was some of it still intact? Yes, it was. Also, a real urban legend is that breaking a HD platter will destroy the data. While HD platters are very fragile and even one dust particle can cause damage, it is still possible to recover data from HDs after they have been broken. The key here is that you don’t need an entire file to make a legal case against someone, if you have enough fragments and can make a reasonable case with those fragments, then you have accomplished your objective. I agree that HTG has lost credibility on this article. From now on, I will just be looking on this site for the comics… the articles have lost any credibility that they may have had at one time from my point of view.

Side note here… if you were to break your HD to try and make it so that data couldn’t be recovered, defrag it first, then break it into as many tiny little pieces as you can. That will make it harder to recover the data. :)

“In many instances, using a MFM to determine the prior value written to the hard drive was less successful than a simple coin toss.

This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error.

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. … The forensic recovery of data using electron microscopy is infeasible. … The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.”

@thegeekid: There is but one way for me to do this. I would like to engage you in further conversation. My very public email is Keith_EL(@)hotmail.com It’s already spammed so I’m not concerned about releasing it here. Drop me a line. I need a fellow geek on my friends list. Most are family and have not a clue – bless their hearts.

Find your local metal smelter, or build one yourself ( lindsaybks.com ), then do the ‘Terminator’ destruction method.

Even a bullet to the drive leaves data, it is just much harder to read, and the ‘casual data droid’ won’t bother.

Personally, I destroy drives for friends all the time. I reformat the drive, install Linux on it, use it till it won’t work anymore, then just trash it, because all the data I have on there is non-proprietary, non-personal, and mainly open-source.

Normally I take old computer equipment to a certified recycler when I am done with them, who is bonded for such things. They have been in business a long time, so they seem trustworthy (especially when there is nothing to be gained). Metal, plastic, glass get recycled, so it is basically ‘earth friendly’ too (a good thing(tm), even if that isn’t my main goal).

“In many instances, using a MFM to determine the prior value written to the hard drive was less successful than a simple coin toss.

The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error.

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time. Further, there is a need for the data to have been written and then wiped on a raw unused drive for there to be any hope of any level of recovery even at the bit level, which does not reflect real situations. It is unlikely that a recovered drive will have not been used for a period of time and the interaction of defragmentation, file copies and general use that overwrites data areas negates any chance of data recovery. The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.”

@jxf011:
I’m sorry, but that is just plain wrong. Maybe everyone on here should actually learn about digital forensics and how it is actually done before trying to support or discredit this article. My personal experience has shown that this article is wrong. (To be honest, I wish it were correct… but it isn’t.)

I am not an expert, but it is a matter of common sense. If you have a TXT file and replace all characters with ‘A’, all the info you will recover from the file will be ‘A’s. If you properly encrypt a file or HDD, the data would be of no use (there are documented cases where the FBI has been unable to recover data from an encrypted drive). If you overwrite every bit of a HDD with 0s (kind of encryption), the recovered data will only be 0s. I don’t see a way to find out if the previous data was 0 or 1.

Because no matter how hard you try, your data is fragmented. We forensic technicians use those fragments to piece together pieces of the puzzle. Solid state drives are a little harder for us to recover, but I work with people who can. Encryption can be a problem for us, but if we really really want that data and are willing to wait, we can get past it using some advanced brute force algorithms and supercomputers. In reality, there is very little data that is truly worth recovering (even for evidence) if it is encrypted using a decent encryption. Forensics is NOT however; what the media would like you to believe. We can NOT just sit down at a random computer, start typing away, and find deleted data from 35 years ago in 1 minute like MaGee on NCIS can. ;)

You are clever Jacksam. I would use multiple (recursive) encryption (different algorithms, different keys) then wipe twice or three times. No supercomputer in thousand years will recover useful data. Gotcha forensics :-P

Look, I’m not knocking anybody’s (Keith’s) expertise here, but if I have a 1TB drive, and a full overwrite doesn’t get rid of the contents, then don’t I have a 2TB drive? Since we can have, at the same time, the original 1TB of data, and then the 1TB I overwrote it with? Obviously this theory is highly flawed, but if each bit can either be a 1 or a 0, and we overwrite the whole thing with 1’s (let’s say), how do you get anything from that?

On a more serious note, you also have to ask what you might have that anyone would put forth the effort to get at your files. They won’t go to these lengths if you’ve just downloaded some films (the kind you can see in theaters). They may not even go to these lengths if you’ve downloaded the illegal kind of films (although, they may if you’re the one producing them). I would think they would only put forth this kind of effort on the hard drives of spies and terrorists.

I remove the platters and beat them with a hammer. But the only worry I have is sensitive company/accounting info and possibly a credit card# in a cache somewhere. The forensics would cost more than anyone could hope to steal.

By the way, if you ever discover unclad pics of someone born too recently, super-destroy the data. If you bring it to cops, you obviously possess it, and to identify it, you had to have viewed it. Yes, there is a very high probability you will be arrested. That arrest will ruin you forever, conviction or not. Never, ever tell anyone you saw it, even under oath.

The last paragraph is personal advice to me from a federal law enforcement officer.

@phanmo .. I too am interested in just what an ‘induction’ stovetop unit would do to a hard drive and the data. I’m pretty sure the unit would be heated to levels well past the maximum operating parameters and probably render the drive totally useless (and the data too). But it would be nice to hear from someone who has actually done this and tried to recover the data.

As for the article .. two ‘zeroing’ passes of the manufacturer’s diagnostic program is more than sufficient for the average home user. But I was glad to see the mention of ‘mil spec’ degaussing. Years ago, data could be recovered even after 7+ ‘zeroing’ passes. Now that higher magnetic densities of drives are possible, one should not be lulled into thinking that data recovery technologies haven’t improved also! I’ve heard that some data recovery companies can even recover data from drives involved in extremely hot fires (for a price)!

My technique is to run over it with my hummer, then 6 or 7 rounds from my 9mm Glock, after which I melt it into a recyclable ingot. This might be over kill for most, but at least MY data is safe!

Bottom line .. If you want to protect your data .. keep the drive, dismantle it and have fun with a hammer or any other means of destruction you can think of, enjoying each moment. Drives are cheap .. YOUR DATA IS NOT !!!

I am, well, was really into computer security; I got an injury and can’t work anymore. I know this from doing security: I at least, and I know others in the field, become almost paranoid about security and privacy. No one borrows or uses my laptop computer; someone using it makes me feel more uncomfortable than someone looking through my wallet or my stuff. Using my laptop is a big no-no. When it’s time to retire a drive I go extreme on it. Anytime I pull a drive and it’s good but I don’t have an immediate use for it I will do a 7 time wipe and store it. If a drive goes bad or I consider it not worth hanging on to I will take and shoot them, usually 4-5 times. Next step, I remove the damaged platters and cut them into 10-14 pieces each. I drop the pieces into a small crucible that melts metal and let it have its way with the pieces; after they’re cooked I dispose of the slug. I know that’s way overboard. I shoot them because it’s fun and it’s payback to the computers for the trouble they give me. Everything else on a computer I either keep, sell, or take to our household hazardous waste facility; they have a special day 2 times a year when they take computers. It’s important to me to dispose of properly/recycle computers and the monitors. The old CRT style monitors have a lot of lead in them and the circuit boards of monitors and computers have some nasty chemicals in them, so it’s important that they don’t get thrown in a local dump.

Basically, the drive is so dense that it would be impossible to recover stuff, even if you only wiped it once.

@Everyone

I’m sure the FBI would love us to think that they can recover wiped data, but assuming a proper wipe was done, I doubt it. Is there any evidence of this actually happening?

If you really need data destruction with 100% confidence, physically destroy your drive. “Smashing” a hard drive may not work, but you can go farther — say, grinding it up into powder — if you really want to destroy it.

@thegeekkid & Others

It’s sad that so many people are saying we’ve lost credibility. This article isn’t just a ramble, it quotes an expert source.

If anyone thinks one wipe isn’t enough, can they find any sort of expert study or case of data ever being recovered from a modern, wiped drive? I couldn’t, and the expert sources I consulted seemed to unanimously agree with this.

If anyone can find actual evidence that what we published here is wrong, I will gladly retract the post and write up an apology.

So far I’ve just seen a lot of references to disk forensics software. Governments would love for people to think that wiping hard disks is useless because they have amazing software that the experts believe is impossible — that way no one will bother wiping their disks even once.

Hey… one of these fine summer evenings when you have a camp fire burning in your backyard just drop the Ole HDD into the fire and let it roast for a couple hours, I’ll bet the data will be gone or I think it will be gone.

I enjoy reading this type of information. If I plan to reuse the drive as a drive then DBAN is the way to go. If the drive is not usable then I find that there are many interesting components inside that can be turned into art and craft things. Windchimes, clocks, and other technical looking junk.

-1 on this. I have a friend who tried to recover from a dead PC by reimaging with OEM restore discs, but wanted her photos and documents back after the reimage failed. It had still wiped and overwritten much of the drive. Long story short, I used a freely-available utility and extracted 260GB of data from her 80GB drive… including files that had clearly been overwritten repeatedly. Got most of her photos for her, and a ton of “clutter.” Mostly internet browser cache crud.

Wiping your drive before you dispose of it is to protect you from the amateur info thieves who DON’T have access to super-duper file recovery software, nanobots or hard drive fairies. Anybody or organization that does have access to that kind of technology doesn’t need your old hard drive to get that info since you’ve already spread it all across the internet. If you are doing something that catches the interest of the men in black suits with unlimited resources, maybe you should consider a lifestyle change. To quote (or mis-quote) Mark Twain, “It’s easier to stay out than to get out”.

I believe that if one has that much to hide, the concern is not with conviction as battle has been previously waged and lost and this will just be another fraternity reunion.

Oh, regarding a limited number of writes. It’s non-contact magnetic storage media for Pete’s sake – what’s to wear out? I can understand defective coatings but not limited write cycles. I have an old Dell that’s been running continuously for 15 years still on NT4 SP1. How many writes and revolutions do you suppose that little WD spinner has completed?

I agree with Keith, physically, really physically, destroy the platters – use chemicals or fire to render them to metallic waste byproducts.

Interesting article! The varying point of view in the comments inspires me to do my own testing/research. Personally, I’ve only done single pass wiping in the past, but I didn’t have highly confidential information to protect in those cases. If it is really critical- taking a blow torch to the platter is definitely the best option if you have access to one!

OK, let me sum up my points here:
1. I have done testing with magnetic HDs.
2. In that testing, I used old HDs that people specifically gave me permission to use for this, and I wiped them with the following amount of wipes using a couple different programs: 1 wipe, 2 wipes, 5 wipes, 7 wipes, 35 wipes.

3. After 1 wipe, using forensic recovery software that I had available to me, I was able to recover quite a bit of usable data. After 2 wipes I was still able to recover some usable data. After 5 wipes, I was only able to recover fragments of files. After 7 wipes, it was getting extremely fragmented, and unusable. After 35 wipes, I was still able to recover some bytes of data, but I will admit that it is possible that those were just coincidence.

4. I did not bother to use proper documentation of my experiment because this was for my own curiosity, and because I have a job as a digital forensic technician, so that helped me gain experience for my job.

You can choose to believe me or not. At this point, I don’t care anymore, and I will not be checking this thread any more to see the comments.

Personally, I would suggest if you overwrite the sectors with random data ONCE, you will be safe. I think everyone else is talking crap. If there’s any variability in calibration of the write head, you may have a small chance to recover some data. Notice that the “nay sayer” experts had a clear lack of industry terminology.
A friend of mine is highly paranoid. He likes his 35 wipes. I tell him to go ahead, if it makes him happy.

This article is patently incorrect. One wipe will not do the trick. I have worked in data recovery for years. Every day I pull data back off of drives that are anything from a decade old to, on occasion, a couple of months old. A single wipe does NOT do the trick. I am not sure where the author gets the statement, “In fact, there have been no reported case of anyone using a magnetic force microscope to recover overwritten data” but we do it every day. We are even able to retrieve data from physically incinerated disks. I have seen some of our engineers pull data off of melted and warped platters.

This article is dangerous to your data security. While 35 wipes is indeed overkill in almost all cases, one or two wipes is NEVER enough on a non SSDD disk no matter how old it is.

Bottom line: If you really want to make sure your data is gone — say, if you have the nuclear launch codes on there — I’d melt it down or grind it up into powder. You never know if the software is actually working properly.

@Chuck

“260GB of data from her 80GB drive”? I doubt it.

You may have recovered some data because she re-imaged instead of performing a single, thorough wipe. I never claimed that an OS restore would erase everything — a wipe is different.

@Nick

That would be an awesome test, but I’d need some additional hard drives and I imagine the industrial-strength forensics programs cost a lot of money, and it would take quite a bit of time — someone should definitely do that, though.

@Brian

Really? You use a magnetic force microscope to read bits one-by-one every day? Expert studies have found that the odds of recovering a single bit are no better than flipping a coin, and examining each bit one by one would take forever. MFM is different than forensic software.

Why bother worrying about wiping the drive, when using strong disk encryption like TrueCrypt removes the need to do so? I believe everyone should be doing this – a stolen PC is one thing, but stolen financial information, personal photos, etc. is a whole other matter.

From the research I’ve done in the past pertaining to magnetic storage, it is possible to extract fragments of unencrypted data from drives even after they are overwritten. But it’s a technically in-depth process and not guaranteed to work. The real forensics work involves the exploration of scattered metadata and redundant data, and correlating that data with other sources (network access logs, etc.). Windows apps are notorious for leaving data trails all over the place.

Was this article written at the behest of an alphabet agency with the intent of disinformation?

There are so many inaccurate assertions in this piece I don’t know where to start… or if it’s even deserving of it. It reads like something an ignorant 4th grader wrote back in 1999 for their “computer sciences” class.

Most of my clients work for big corporations that are continuously upgrading or purchasing new systems, and so, I must destroy about a minimum of twenty HDs a year for security reasons. I never use disk-wiping utilities. I take the platter out of the HD case & destroy it, even easier if it’s a SSHD. With the right tools any HD platters can be removed and destroyed beyond repair in minutes.

Loving how all of these “forensics experts” have recovered “data” from hard drives overwritten several times by random data. I believe you need to define the “data” you’ve recovered. Case in point @thegeekkid, “Was the data readable? No it was not.” If it wasn’t readable, then how did you recover data from the drive? That does show that you certainly know a (very) little about digital forensics. You just “recovered” the random data you wrote to the disk. I hope you didn’t seriously think you recovered something even remotely usable after 35 passes.

The same thing with @Keith who claims to have figured all of this out and rendered those erasure methods useless. “I have recovery software designed to extract over written disks.” Sounds totally reasonable and makes sense why you’re posting it here and not completely revolutionizing the digital forensics world in selling that software because everyone and their mother would want it. You can’t “subtract out” something written on a disk with software. It’s not some additive equation where if you overwrite a 1 over a 0, then come back and subtract the 1 then you get the original 0. If you were aware of how magnetic disks are written, you would know you’ve completely debunked any possibility of competency by making that statement. What you are referring to was attempted using STEM by various researchers and ended up being proved that the prediction of the previously written bit by STEM was as accurate as flipping a coin.

A lot of “forensic experts” in on this discussion, which is usually the case and makes it easy to weed out these internet forensic experts from the actual experts. Please, people, don’t take any of this information as credible and do your own research. If you don’t believe one pass is enough, do your own research and attempt to recover data in a controlled and repeatable fashion on your own. You may find that this article, although too simple for some to allow themselves to believe, is correct.

Adapt a fish tank air tube to a container of brake fluid then connect that to the breather holes in your hard drive all separated by an air line switch. When the drive is running flip the switch and when the brake fluid comes in contact with the drive it will scrub off all of the magnetic coating on the disk rendering the drive clean and your data sludge.

Wow people, come on. “lost all credibility” that’s a bit harsh don’t you think? Anyone can make a mistake. It is ONE article we are talking about. I have read many interesting facts and learned some fascinating tips using HTG. Yes, maybe the person who wrote the article needs to do a bit more research? I’ll guarantee this isn’t the first, nor will it be the last bit of wrong info we read somewhere.

One thing I failed to mention… Without exact proof of your claims that this article is bogus, how should anyone just take your word that it’s wrong? Like “Forensicator” has made mention of, we are just supposed to take your word that YOU are the expert here? I would lean towards believing the article over someone just spouting arguments.

FYI, there is a company in Hungary called “Kürt Rt”. They do mainly two things: restore data for individuals and companies for extreme amounts of money, and restore sensitive/evidential data for police and governmental agencies all around the World.

They can restore data from HDDs overwritten many times.
They can restore data from HDDs beaten with a hammer.
They can restore data from HDDs burnt in fire.
And they can do much more…

A friend of mine had some important stuff on a HDD that caught fire. He decided it was worth 2-3 months of salary to him to get it back. They did it… and even more – he was surprised to get tons of data back that he deleted YEARS AGO, and that HDD was wiped quite a few times since that.

So much for “urban legend”… Yeah, a typical person won’t be able to do these. A typically available restore software won’t see anything that was overwritten once or twice… but if someone can physically get that HDD and they REALLY want the data… well… the above should have given you an idea about what is possible. They are able to analyze even fragments of disks.

As far as I know the ONLY way to stop professionals from restoring anything is to totally destroy the metallic disks in the drive, such as melting them. If you just shoot a hole in them with a gun or something like that, the rest of the disc remains readable for them. They just take it apart and analyze every square millimeter of it.

@Storm: If you have any way to prove that, with a bit more detail on specific conditions, I would be interested to see it. It sounds like they have a good marketing department anyhow.

@Keith, thegeekkid, others: The post by Forensicator reflects my feelings exactly. Do your own research, everyone. Don’t believe self-appointed ‘experts’ in comments on a public blog, just because they say they are. If credible references are cited, that has value. This article cites good references, the ‘expert’ comments contradicting it do not. Chris Hoffman said in a comment- “If anyone can find actual evidence that what we published here is wrong, I will gladly retract the post and write up an apology.” I haven’t seen that evidence cited yet.

Interesting reading and arguments, but it seems pretty one sided here right now favoring 1 wipe being sufficient, and the reason for that is citation.

Perhaps some of you have experience recovering data, but it’s irrelevant if you don’t have scholarly documentation to back it up. I would love to read some counter literature, such as citing your textbook or a published article in a scholarly journal.

All I’ve seen so far is forum links, software ads and citing yourself, which unfortunately doesn’t really count if you’re trying to make a weighed argument, especially to the world.

Some of us have written from personal/professional experience; there is no scientific record – just results.
Since you seem to think I need my own citations I give you only the FIRST one I found. It does not support all of my arguments since I was not clear enough in my presentation but, I’m not trying to convince the world how (not) to protect themselves from predatory criminals. This will be my last check on this thread as well. Had a great time with the debates :)

blummin heck… what kind of scary level s*it are some of you guys working on… I just want to make it so if anyone found my HDD in the bin they wouldn’t find the pics of me and my girlfriend reenacting that one scene from one night in paris….. ooops I mean… our holiday pics.. I really doubt the FBI would be interested in my HDDs and I’m guessing the likelihood of a hobo finding my HDD while looking for last night’s pizza will have some top level forensic software and even if he did the worst he could do is put those pics on the internet.. again… :-o

It’s not really a shot at you personally – an argument from people with personal/professional experience needs to carry some weight with it. For example, there’s not much stopping me from saying I have 30 years of technical experience in the field and this is what I’ve experienced (and granted, I do sometimes say things like this). However, when it comes down to it, with two entities on the Internet telling the other they’re wrong, you basically must assume both parties are lying, which is pretty much what a publication for peer review by members in the field is all about, and where there’s evidence, there is almost always a study behind it (although the interpretation of the results is often suspect).

I looked over the information you provided and it was interesting, although most of it was relating to what the government defined as the secure erasure of the disk, and some of their sourcing was rather suspect (software sites, slashdot, etc.), still it was interesting to glance over (less the context of the presentation).

To be honest, I suspect the answer may still vary quite a bit from documentation I’ve read before now, especially when we’re considering older disks in the mix. A lot of the documentation may have a bias to it as well, as at the end of the day the engineer responsible there will be taking a lot of his information on the promise his part supplier has provided, etc, and the error margin only widens from there.

All that said, probably one of the best ways to protect your data is to encrypt the entire volume prior to writing anything to the drive – even if the data is recovered, a lot of that information has become relational now and is subject to other data that has been lost altogether when you do clear the volume, and a royal pain to get at if the volume hasn’t yet been overwritten. If you ran this across a raid configuration that breaks up the data, all the better since that data will be extremely difficult to recover, especially those who are experts in the field.

Hey guise, chill out, I got this.
I’m actually a sooper dooper seecrit spy.
This article is all false. In fact, after a 32,896 pass wipe, I can see all your porn by just looking at the keyboard.
Trust me, im an Xpert. I have to be vague about my sources and experience so no one finds me. It’s not like anyone lies on the internet anyways.

I made a simple test myself. Connected an extra HDD (empty) to my computer. Created a plain file with a text. Saved it. Closed it. Defragmented the HDD. Reopened the file. Filled it with the letter ‘X’. Saved it. Closed it. Defragmented the HDD. Deleted the file. Defragmented the HDD. Used a free recovery utility and only found the modified version of the file (filled with ‘X’s). No traces of the text I wrote. Conclusion: No ‘shadow’ info remained after an overwrite.

Well, I never heard about 35 passes, but I still believe that you need at least 3 passes to make previous data unrecoverable.

The real question is who is your enemy?

to hide a file from your child, putting it to the recycle bin is enough.

but for your wife, you’d better empty the recycle bin as well.

against a novice hacker who knows how to use recovery software, a one-pass full erase will be needed.

because don’t forget that while your enemy doesn’t have access to a lab to open the disk and measure the magnetic field without the help of the embedded controller, anyone who reads the disk via the sata interface will get the last data written: zeroes.

so if you feel you are watched by the KGB or the CIA, you can make 3 cycles of zeroes and ones passes, plus a random values pass. (I guess the hysteresis of the previous value is about 1/10 of the normal value, so 3 passes will reduce it to 1/1000 which is less than the level of noise)

@phanmo: if you use a microwave oven or an induction burner, you’ll get nothing good because the disk package is made of metal and will absorb the induction before it goes to the disk magnetic surface. you can even damage your oven because it’s calibrated to cook not so conductive dishes. but if you can raise the temperature over the Curie point (around 400°C, if I remember), then any magnetic remanence will be void, including the neodymium permanent magnets needed to move the heads (so the drive is dead for anyone). or if you can make it melt, you’re done with your data security. (the alloy used melts around 1700 °C so no need to have an oxy-acetylene kit, an ordinary butane camping heater will do it). good luck to all.

I recently participated in a Linux based security presentation at a local technical school and one of the most frequently asked questions was “If I wipe my hard drive can the data still be retrieved?” to which our Computer Forensics expert answered a simple “Yes.” Why? Because there is an abundance of tools available for forensic level data retrieval. The average person will not need to worry about this level of retrieval however if you’ve got something to hide and the FBI is on your arse then you best drill some holes, smash it to bits, and send off to incinerators across the globe.

Thanks, Keith, for that reference. I like the explanation offered by Atlantis. In the article, it does mention “1 or maybe 2” indicating acknowledgement that 2 is better than 1, and the citation in the article mentions “a few passes” being good. So, the title may be a bit misleading, but the content isn’t really inaccurate just because of that. The main thing being disputed in the article is whether or not 35 passes is necessary, which is clearly -No. (re-read the article if you missed this, it refers to the 35-pass urban legend, etc.) Mainly, if you are knowledgeable enough to know to wipe a drive, what’s the difference between 1 and 3 wipes? Hardly worth debating over. Just do 3 to be on the safe side.

@Atlantis: Don’t underestimate your child :) If you are smart, your child probably is, too! Also, don’t underestimate your wife- if your child is smart, it probably came from her as well! :) (just a side note!)

if the hd data are overwritten only once with random data, then it is not possible to recover them

however, if the random data are not really random, or the random buffer window is repeated, it could be possible to detect patterns in the wiped data, having the right equipment of course

if the overwrite data are random, you may still not overwrite all hd data if you do that in os level, some parts of data may remain, and looking at hd erased in os level may well leave some parts of data there (mft, journal-data, shadow volume-data, swap data, unused space on end of files, etc)

using something like dban to overwrite all harddisk in a lower level is better, it however, cannot overwrite sectors mapped as bad by hd controller – as this happens automatically, you can never know which data was marked as bad sectors – they can still be read with proper equipment, so if you are (un)lucky some data can still be found even after dban

to be really sure, then only physical destruction is safe, either chemical, or better pure physical using external force, but the remaining hd plates parts must be small enough
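One way to check for the two failure modes this comment describes (an OS-level overwrite that misses regions, and "random" fill that is really a repeated buffer window), as an added example that is not part of the original comment thread. The function name `audit_wipe`, the thresholds and the sample images are constructed for illustration; sectors the drive has remapped as bad cannot be read back through the normal interface, so they stay outside what this check can see.

```python
"""Audit a raw disk image after a wipe (added example, constructed data)."""
import hashlib
import io
import os

SECTOR = 512         # logical sector size assumed for the image
MIN_DISTINCT = 180   # a random 512-byte sector holds about 220 distinct byte values


def audit_wipe(stream, mode, sector_size=SECTOR, min_distinct=MIN_DISTINCT):
    """Read a raw image sector by sector and report what a wipe left behind.

    mode "zero":   every sector must be all 0x00.
    mode "random": every sector must look random and must not repeat.
    Returns the sector count, the indexes of suspect sectors, and how many
    sectors were byte-for-byte repeats of an earlier sector.
    """
    if mode not in ("zero", "random"):
        raise ValueError("mode must be 'zero' or 'random'")
    zero_sector = bytes(sector_size)
    seen = set()   # one digest per sector: use a larger block size on real disks
    suspect, repeats, index = [], 0, 0
    while True:
        block = stream.read(sector_size)
        if not block:
            break
        if len(block) != sector_size:
            raise ValueError("image length is not a multiple of the sector size")
        if mode == "zero":
            if block != zero_sector:
                suspect.append(index)      # something survived the zero fill
        else:
            digest = hashlib.sha256(block).digest()
            if digest in seen:
                repeats += 1               # same "random" data written twice
            else:
                seen.add(digest)
            if len(set(block)) < min_distinct:
                suspect.append(index)      # too structured to be random fill
        index += 1
    return {"sectors": index, "suspect": suspect, "repeats": repeats}


# Constructed leftover data standing in for a region the overwrite never reached
# (journal, swap, slack space and so on).
LEFTOVER = (b"CONSTRUCTED SAMPLE: invoice 0001, account holder Jane Doe\n" * 9)[:SECTOR]


def build_samples(n=64):
    """Build small constructed images, one per situation discussed above."""
    zero_ok = bytes(n * SECTOR)
    zero_missed = bytearray(zero_ok)
    zero_missed[40 * SECTOR:41 * SECTOR] = LEFTOVER
    window = os.urandom(4 * SECTOR)            # a 4-sector buffer reused for the whole pass
    random_ok = os.urandom(n * SECTOR)
    random_missed = bytearray(random_ok)
    random_missed[7 * SECTOR:8 * SECTOR] = LEFTOVER
    return {
        "zero_ok": ("zero", zero_ok),
        "zero_missed": ("zero", bytes(zero_missed)),
        "random_ok": ("random", random_ok),
        "random_repeating": ("random", window * (n // 4)),
        "random_missed": ("random", bytes(random_missed)),
    }


if __name__ == "__main__":
    for name, (mode, image) in build_samples().items():
        print(name, audit_wipe(io.BytesIO(image), mode))
```

To audit a real drive, pass a file object opened read-only on the raw device or on an image of it instead of the `io.BytesIO` samples.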

A bit of common sense, I think most people will just need to stop the person who they sell their pc to from recovering any personal data or passwords to bank accounts, or some embarrassing pictures from being recovered. I don’t think the average user or the thief who steals your hard disk will have the highly specialized equipment required for recovering data from a drive which has been zero filled and reloaded with a fresh os. If you have data which would convict you of a crime, eg. kiddie porn then you deserve to be found out anyway!

My question to all of you is, do you really think somebody would go to great lengths and expense to recover the crap that’s on your drives? Are you working on secret government projects? Are you receiving interplanetary e-mails? If the hard drive that you’re using has information that important on it, it probably wouldn’t be your responsibility to clean or destroy the drive in the first place.

Paranoia and the need to appear better informed, runs rampant in the world of geeks!

No, part of my job is to destroy sensitive data for my clients. That’s part of what I get paid to do, & I do lots of it. Companies I deal with upgrade & change systems continuously. Not only do I purchase, supply & maintain new workstations, notebooks & server equipment (servers, sans, backups, etc…) , I also recycle & destroy the info on old ones. You see, my clients don’t mind always spending tens of thousands of dollars to have the most up to date tools that they need & my budget for this is all very jaw dropping.
So… yes, they really think somebody would go to great lengths and expense to recover the crap that’s on their old drives. Are they just being paranoid? Probably, but who cares. They pay me for peace of mind. :)

If you have an old hard drive with sensitive information that you don’t want anyone to access, simply place the hard drive in a metal box with some holes in it. Place a brick with it and weld it shut. Then rent a boat and go out to a very deep part of the ocean and drop it. I call this the “Titanic method”.

use a helium balloon to raise a model rocket and your hdd payload into the stratosphere which ignite the chemical engine at a set altitude and launch the ballistic missile along trajectory for propulsion to achieve escape velocity and enter the final stage of free flight right into the sun!.. (what could possibly go wrong?..)

Sorry dudes. There is no way you can recover data from a modern drive using your ‘forensic software’ when it has been overwritten with 000, then 111 and finally been rnd written. I agree an OS format is not enough to erase all data but more than enough tools exist that will do a multi pass DOD wipe.

This information is quite dated. Do a bit of research into data recovery that does not use a source that is nearly 4 years old… I would think you were aware how quickly the computer world changes. Magnetic readings can be taken from overwritten disks and calculating flux change can allow for recovery of surprising amounts of information. Basic understanding of how data is stored onto a drive should make the statement that a single wipe is adequate obviously FALSE.

Nice article, but see how the “I’m a forensic super expert! I work for FBI. One wipe isn’t enough” guys appear and defend this myth, which got debunked years ago.

A single wipe (format with zeros) is enough. Data is impossible to recover, as confirmed by a recovery software company and true forensic experts, who’ve published their scientific study (ICISS 2008)… which I give more credibility than comments by so-called forensic experts (probably thinking using R-Studio instead of Recuva makes them experts).

Their result (after a single wipe): If you know exactly the 8 positions of a byte, there’s a 0.97 % chance of reconstruction. Recovering anything beyond a single byte is even less likely.

This means, for reconstructing one lousy megabyte, you'd need to know 8388608 exact head positions and still have less than 1% chance for recovery, for each byte. I dare to say, it's impossible. If anyone thinks he knows better, like the guy who can recover after 35 passes, please prove it. You'd put quite some skilled people to shame and get a lot of attention.

The next big myth is low level formatting. Still using a harddisk from the early 90s? If not, it's not possible, unless you're a skilled hardware technician who can program the eprom of a hdd. A true low level format would make your harddisk unusable, overwriting factory settings. So a HDD ignores such a request and just performs a wipe (blank zeros). The clueless user is still happy, thinking he performed a low level format.

Of course, everything will be ignored and users will continue to do multiple wipes. It just feels more secure… I too am still tempted to do a multiple-pass wipe, knowing it's bullshit and one pass is just as good as 35. ;-)

One wiping may “Erase” the data but that does NOT mean it can’t be recovered easily. I recover data for clients all the time. Just 2 days ago I have recovered 2 outlook pst files from a business client who wiped their system and did a factory oem partition reinstall of Windows 7 Home Premium 64bit. Then they installed MS Office after the system was reinstalled. One pst file was 2.76GBs and the 2nd one was 487MBs. How can “Why You Only Have to Wipe a Disk Once to Erase It” have any credibility?? The recovery software used is about $100.00, not Forensic quality either like Encase or AccessData Forensic Toolkit (FTK). Once wiping will NEVER be good enough EVER.

Oops!
You are mistaken assuming that 1 wipe is sufficient to erase a drive so that data cannot be retrieved. I agree with commenter “Keith” regarding forensic software. I have successfully restored select data and, in some cases, entire operating systems (OS) after a hard drive has been formatted using forensic data restoring software. For example: In Windows…if a user chooses to re-install an OS or to upgrade/downgrade to a different version of the OS using the “Custom Install” and “Format” option, the disk installation utility will launch a format utility that erases the drive contents (one pass only) and re-formats the drive with your choice of a disk allocation table (example FAT, NTFS…). Once in a while users screw up and forget to copy/backup data on the drive/disk prior to the format phase of the installation process. I have, on a few occasions, been called upon to restore the erased data and I have been successful in the process.

Wow, I forgot about this article…
Actually, my question about the induction burner was less about temperature and more about rapidly changing magnetic fields! Oh well, I’ll have to try it myself some time. A check sum should do the trick.

Reading all of the comments has been interesting. The urban legend of how many overwrites are required just won’t die. I have been a computer forensics expert witness from the late 70s (before the term “computer forensics” was coined) until 2005 when I retired. During that time I also spent two years as the engineering manager for a top secret military intelligence project that absolutely had to know about what could be recovered from a hard disk.

My position for many years has been that a single overwrite of anything completely destroyed any chance of data recovery. Is it theoretically possible to recover overwritten data? Yes, or at least maybe. Is it possible in any practical sense? No. Unlike some of the people commenting here I am not going to assert that you should believe me because of my superior knowledge and/or experience. But consider this: in the many debates I have engaged in on this topic I have always challenged – and sometimes even offered to pay – for any concrete evidence of recovery of overwritten data. No one has ever provided a single instance of recovery. It’s like religion, many believe it, no one can prove it.

As for the people commenting on this article that claim to have software that can retrieve overwritten data, they are either very naive or simply lying. If you have any understanding at all of the physics of hard disks and the controllers that they use you will realize that such is completely impossible. Just read Gutmann’s obsolete and flawed paper to understand that.

After reading many articles like this one, I’m becoming more and more concerned that all the “you really don’t need to wipe the drive well” arguments are a deliberate NSA/FBI mis-information campaign so that they can get the data more easily when they need/(want) to.

This is a Reply to Chris Parillo. Hey Chris I caught you on Tech TV (Cool Show-Loved It)… You amaze me. I’ve been Geeking with the whole spectrum of PCs/Laptops/Netbooks/Now Tablets and of course Macs. I’ve built, repaired and screwed up with them all. I’ve also subscribed to at least 2 PC Mags steadily since 1992. Took a few single semester courses at colleges/Vo-techs. Just not cut out for school and it’s been my experience that most of your non-Ivy-League type schools are worthless (A Joke)
Anyways to end this, you’re a real dedicated guy. I PDF and journalize most of the How To Geek Articles. Thanks so Very Much and maybe you should start an instructional online Brass Tacks type of course. But once again Thanks for your Cut The Crap articles ETC. I’m 52 and since 1992 have spent most of my waking hours Geeking out (that’s 20 yrs) (where did they go??) and I practically really know nothing, Don’t know why. Your How to Geek articles are always a bright spot in my 20 year equation…. Thanks Again Hope you Get this.

I work for one of the three remaining HD companies – and have for 20 years. PRML (Partial Response – Maximum Likelihood) recording means you will only have to overwrite once – with any data (since it will be re-encoded before going onto the disk) to be sure the previous data is gone. Data is not stored as “Ones & Zeros”; it is stored as rates of change in the magnetic. In short, a “11” after a “00” will look different than a “11” following “10”. The new data (after one complete overwrite) will be so different that the PRML tracker will not be able to follow the old data in any way.

With the data capacities we have now, there is no extra margin for data to exist in “Wide” tracks or off-track scans.

Go to http://www.ccleaner.com, wipes it out, used by Ma Bell and other telephone companies. It tells you how to completely wipe it out. Passed government big brothering. Try it. No charge, by the way.

I find it odd. In these comments, we’ve talked about 35 passes, hitting drives with hammers and strange magnet fields. Putting them in acid. WTF?

If you’re disposing of a drive and don’t want it to ever be read, … Yeah, let’s go buy some specialized acid! Let’s get real. Most of these people who are commenting, as well as HTG, probably have no idea what they’re talking about. So be warned. I’m not going to comment on how “readable” any of it is, because I do not know. I know wiping with simple zeros seems to thwart simple data recovery.

Also do you like how all these “super geeks” that have their amazing software that recovers the data after zero wipes … NONE of them mention what software they actually use? Why? My guess – they don’t have it.

Anyway, not saying it’s not possible to recover, but let’s be real.

If you’re disposing of a drive, instead of hitting it with a hammer (which probably could theoretically be recovered from) — or putting acid on it (wtf?), magnets or other stupid trick. Why not BURN it as the DoD (US Dept of Defense) suggests?

Great read. Especially the comments and debate that followed. I remember writing a paper on this years ago and I couldn’t stop laughing the entire time. I kept thinking, “The drive must be cast back into the fiery chasm from whence it came… One of you must do this.” lol

@Josh: Read your references again.. in RAM, data may last a minute or so, depending on the temperature. Also, the sources you referred to support, or don’t contradict, this article, if you read them carefully. The Wikipedia page quotes studies that say a single overwrite is all that is necessary, and the MIT article indicates that most people don’t know to overwrite their HDDs, or think that formatting is the same thing, which it isn’t. It did say that 12 were ‘properly sanitized’, meaning they were functional, but nothing could be recovered from them. It doesn’t speak of them recovering data from anything overwritten.

If you erase your HDD, defragment and grind the platters into dust, pass a Neodymium Magnet over it and burn it no one would be able to recover anything. You couldn’t even reassemble it!!! This method is overkill though.

Ice pick thru the drive, shatters the platters. Today’s drives are made of glass or ceramic, one good strike with a pick to go thru the outer case and the platters will shatter into pieces. Let’s deal in reality: no matter how clean a “clean room” is, it is virtually impossible to reconstruct a drive that has gone thru this method. Include some whole disk encryption, and data will never be recovered.

There is a command built into most modern drives (post 2001) that use the ATA command set. Software is used to START the process, but after it is started, it is a complete HARDWARE wipe. This ATA Command set wipe will wipe bad sector tables that are created on the fly over the lifetime of the drive. DBAN and other software wipes do not wipe bad sector tables.. so -even though those sectors are marked as bad data CAN be recovered from them. (Your drive does not securely erase them before marking them bad). Personally, I encrypt the drive (I use encryption all the time anyway!), then use the ATA command set to securely erase it. No “silver bullets”, no “voodoo” like half of these idiots believe in..(BTW, if you wipe 35 times, please do a raindance along with that! We could really use some rain!) -And you can rest assured when you sell your old drive on EBAY that no one is going to ever recover any data off your drive…

If you’re selling on a hard disk then this becomes important. However, I cannot imagine that scenario. I will keep a drive until it dies, or it becomes so technologically tiny – I held onto a 10 gig for a while – that it’s only worth chucking. Anyway, I strip them keeping the screws, as you never know. I remove the platters, then scratch them all over, while watching Family Guy or Terra Nova, then put them on a gas cooker ring until they glow red, and then hurl them in the recycle bin, but I do like the suggestion of using them as wind chimes – they do have a perfect ring. Daft thing is I haven’t had a credit card for over ten years, and none of the information is criminal, or dangerous to me. I think this is just the same as why we don’t simply cut credit cards in half, but instead cut them up into tiny pieces. The magnets inside, by the way, are very strong and fun to keep.

People who say oh we can break your encryption and get the files we need. Yeah, whatever. Look up the article where the FBI failed to break Truecrypt. And by the way, if you encrypt the hard drive, then erase the header, Good friggin luck recovering it you moron. Saucer OUT
